Credentials as command-line arguments should be forbidden


#1

https://github.com/sensu-plugins/sensu-plugins-aws/issues/2

I am open to discussing this further, as it would be a rather drastic change, but one I think should be made and enforced hard.

In a nutshell, I think no plugins should accept any type of tokens, keys, or passwords as command-line arguments. User names are not as big of a deal IMHO, but Sensu was built for the cloud and many of us, myself included, use configuration management tools to deploy it. The sensu-community-plugins will remain untouched, but the new gems being built, I feel, should not allow passing of credentials.

The aws-sdk gem was designed with this in mind and can use env variables, roles, etc., and in the case of other scripts, for example the github plugins, you could create a simple text file and put it somewhere like ~/.ssh or ~/.secret with 600 permissions. In Windows I believe you could do the same type of thing, or maybe leverage AD?

I bring this up as any new functionality needs to be platform independent as much as possible. UNIX tools such as df and grep are great, but not all of us are lucky enough to have jobs that don't require us to manage Windows boxes ;)

One possible solution is something like this:

```ruby
option :token,
       short: '-t TOKEN',
       long: '--token TOKEN',
       description: 'Github OAuth Token',
       default: SensuPluginsGithub.acquire_git_token

# Read the token from a mode-600 file; returns the first line without its newline.
def self.acquire_git_token
  File.readlines(File.expand_path('~/.ssh/git_token')).each do |line|
    return line.chomp
  end
  nil
end
```

This is non-breaking and is how I implemented it quick and dirty in the github plugins and in GIR.

The new gems would remove the ability entirely at some point to pass them in at all and require either creating a file or using a configuration management tool.

I am open to being told I am crazy and this is a bad idea, but barring any real discussion or dissent, as I refactor the various scripts I will be deprecating all methods of passing in creds via the command line and will instead require the user to pass in the location of a file or some other automated method.
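An added example, not from the issue above or from any sensu-plugins gem, of the file-or-environment approach the post proposes: a helper that takes a credential from an environment variable (what a configuration-management tool or role-based mechanism would export) or from a mode-600 file, and never from ARGV. The module name, the env var name `GITHUB_TOKEN`, and the path `~/.secret/git_token` are assumed here; the permission and ownership checks are the caveat a plugin would want before trusting a secret file. The demo function builds its own temporary files with a constructed, fake token.

```ruby
require 'tempfile' # only used by the self-contained demo below

# Hypothetical helper (not sensu-plugins code): resolve a credential without
# ever taking it from the command line, where ps/proc would expose it.
module CredentialSource
  class Error < StandardError; end

  # Prefer an environment variable, then fall back to a secret file.
  # Default names are assumptions for this example.
  def self.acquire(env_var: 'GITHUB_TOKEN', path: '~/.secret/git_token')
    value = ENV[env_var]
    return value unless value.nil? || value.empty?
    read_secret_file(File.expand_path(path))
  end

  # Return the first non-blank, non-comment line of the file. Refuse files that
  # are group/world accessible (anything beyond 0600) or owned by another user.
  def self.read_secret_file(path)
    raise Error, "secret file #{path} does not exist" unless File.file?(path)
    st = File.stat(path)
    if (st.mode & 0o077) != 0
      raise Error, format('secret file %s is mode %04o; expected 0600', path, st.mode & 0o7777)
    end
    unless st.uid == Process.uid
      raise Error, "secret file #{path} is not owned by uid #{Process.uid}"
    end
    token = File.foreach(path).map(&:strip).find { |l| !l.empty? && !l.start_with?('#') }
    raise Error, "secret file #{path} contains no credential" if token.nil?
    token
  end
end

# Demo with constructed files and a fake token: shows the file path, the
# env-var path, and the rejection of a world-readable file.
def credential_source_demo
  results = {}
  Tempfile.create('git_token') do |f|
    f.write("# constructed example, not a real credential\nexample-token-123\n")
    f.flush
    File.chmod(0o600, f.path)
    results[:from_file] = CredentialSource.acquire(env_var: 'NO_SUCH_VAR_FOR_DEMO', path: f.path)
    File.chmod(0o644, f.path) # simulate a misdeployed secret file
    begin
      CredentialSource.acquire(env_var: 'NO_SUCH_VAR_FOR_DEMO', path: f.path)
      results[:world_readable] = :accepted
    rescue CredentialSource::Error
      results[:world_readable] = :rejected
    end
  end
  ENV['DEMO_TOKEN_VAR'] = 'from-env'
  results[:from_env] = CredentialSource.acquire(env_var: 'DEMO_TOKEN_VAR', path: '/nonexistent')
  ENV.delete('DEMO_TOKEN_VAR')
  results
end

puts credential_source_demo.inspect if $PROGRAM_NAME == __FILE__
```

The mode check is POSIX-specific; on Windows the equivalent would be an ACL check on the file, which this example does not attempt. Wiring this into a plugin would mean dropping the `--token` option and calling `CredentialSource.acquire` directly, so that a secret can only arrive via the environment or a protected file.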